Q: I have an active Twitter feed and occasionally use LinkedIn for work purposes, but I am unfamiliar with how those sites secure my privacy. I read that both sites have introduced “secure browsing” but what exactly does that mean, and how is it keeping me safer?
A: A secure website has “https” in its URL and has a small lock symbol next to it. It’s used by most banks and online retailers to provide secure transactions.
Well, now secure browsing is the default setting for all Twitter profiles. LinkedIn now offers it too, but you have to opt in to use it; it is not a default setting yet. Remember that if you use Twitter or LinkedIn over an unencrypted WiFi hotspot and do not have HTTPS enabled, a hacker could easily sniff your session cookie and steal your identity. As Twitter announced on its site:
Last year, we added the option to always use HTTPS when accessing Twitter.com on the web. This setting makes your Twitter experience more secure by protecting your information, and it’s especially helpful if you use Twitter over an unsecured Internet connection like a public wi-fi network.
Now, HTTPS will be on by default for all users, whenever you sign in to Twitter.com. If you prefer not to use it, you can turn it off on your Account Settings page. HTTPS is one of the best ways to keep your account safe and it will only get better as we continue to improve HTTPS support on our web and mobile clients.
While making more secure default settings is a step in the right direction, the unfortunate news is that even HTTPS isn’t always 100% secure.
Recently, two security researchers discovered a serious weakness in this technology that allows hackers to read and steal supposedly encrypted data. These researchers demonstrated a program they developed called BEAST (Browser Exploit Against SSL/TLS) that exposes this vulnerability.
This program can read the encrypted data that websites use to grant access to restricted user accounts. In their demo, the two researchers decrypted cookies used to access a PayPal account.
This vulnerability is just the latest found in HTTPS, which more and more websites are using to supposedly protect their users.
Using a personal VPN like PRIVATE WiFi is the only way to protect yourself from this kind of attack in a WiFi hotspot, whether you are simply emailing or making any financial transaction using a credit card, updating your LinkedIn account, tweeting, paying for something via PayPal, or managing your online banking accounts.